Embracing the Cloud's Potential for Security

June 17, 2014, Rick Dakin, CEO, Co-founder and Chief Security Strategist

I spoke recently at TIA’s Network of the Future conference. At the session, which was heavier on vendors than operators, the discussion was very focused on the cloud. Everyone wants to know what’s coming next and if they’re ready for it.

The accelerating cloud transition is both good and bad for data security teams. It’s good, because it’s an opportunity to prepare and defend a dynamic platform that can be far more secure than the static legacy platforms that many organizations are defending today. It’s bad because if we mess up in the cloud, it’s potentially a huge number of organizations and individuals who could be at risk.

There’s a lot of concern over what the cloud means, but this should not be a scary time. We can capitalize on this opportunity to deploy a hardened cloud that will comply with new standards like FedRAMP and PCI mobile services. This will take careful risk assessment, more secure application development and integration of more nimble monitoring and active security response.

All sustainable security programs are based on “defense in depth,” with static border protection and access control supplemented by dynamic monitoring programs that constantly analyze new threats and suggest the appropriate responses.

The same principle applies to organizations that are serious about protecting customer information. Many recent breaches have been executed with sophisticated, zero-day malware exploits that were undetectable by antivirus solutions. If the cloud is breached, we need active monitoring to make sure the bad guys aren’t running wild undetected.

The biggest remaining obstacle to creating a secure cloud is our inability to conduct risk assessments of integrated third parties. We’ve seen with multiple recent breaches – again this month with AT&T – that the easiest way into a company’s system can be through its connected vendors. The entire ecosystem has to be secured. 

At its simplest, cloud security begins with a clear allocation of responsibilities between the customer and a cloud service provider (CSP):

  • Identify where your data will be stored. Compliance laws and regulatory standards may require information to be stored only within the United States.

  • Ensure adequate physical security. The “cloud” is simply a bank of servers stored somewhere else. Verify they are safe.

  • Enforce access controls. The cloud user should know who has access to stored data, how they are screened, and the training programs that are in place.

  • Verify CSPs are monitoring the flow of data and using alerts to identify breaches, track user activity, and enforce accountability for user actions.

Coalfire has conducted thousands of assessments of virtualization architecture for clients in a wide range of industries. Contact us today if you’re serious about protecting your data and thinking through your own cloud migration plans.

Rick Dakin


Rick Dakin — CEO, Co-founder and Chief Security Strategist

Recent Posts

Post Topics